  1. OpenOLAT
  2. OO-4292

RestAPI: can't create new groups in a course


    Details

      Description

      Creating new groups in a course with /repo/courses/{courseId}/groups results in a 401 error (not authorized). This patch fixes that: 

      diff --git a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      index 58623e9..4dc1509 100644
      --- a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      +++ b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      @@ -51,6 +51,8 @@
       import org.olat.core.util.vfs.QuotaManager;
       import org.olat.core.util.vfs.VFSContainer;
       import org.olat.core.util.vfs.VFSManager;
      +import org.olat.course.CourseFactory;
      +import org.olat.course.ICourse;
       import org.olat.group.BusinessGroup;
       import org.olat.group.BusinessGroupService;
       import org.olat.group.model.SearchBusinessGroupParams;
      @@ -212,7 +214,8 @@
       	@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
       	@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
       	public Response putNewGroup(GroupVO group, @Context HttpServletRequest request) {
      -		if(!RestSecurityHelper.isGroupManager(request)) {
      +		ICourse icourse = CourseFactory.loadCourse(course.getResourceableId());
      +		if(!RestSecurityHelper.isGroupManager(request) && !RestSecurityHelper.isOwnerGrpManager(icourse, request)) {
       			return Response.serverError().status(Status.UNAUTHORIZED).build();
       		} else if(course == null) {
       			return Response.serverError().status(Status.NOT_FOUND).build();
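Review bot: The added `CourseFactory.loadCourse(course.getResourceableId())` dereferences `course` before the existing `else if(course == null)` branch can run, so a missing course would now throw a NullPointerException (probably surfacing as a 500) instead of reaching the 401/404 handling. Guarding the load keeps the original order of checks: `ICourse icourse = course == null ? null : CourseFactory.loadCourse(course.getResourceableId());`. With that guard a null course is still denied for non-managers, but only because `isOwnerGrpManager` catches every exception, so an explicit null check in the helper would be cleaner. putNewGroup's body continues outside the hunk, so how `course` is populated is not visible here.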
      diff --git a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      index 8804b11..d67190c 100644
      --- a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      +++ b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      @@ -79,6 +79,19 @@
       		}
       	}
       	
      +	public static boolean isOwnerGrpManager(ICourse course, HttpServletRequest request) {
      +		try {
      +			Roles roles = getRoles(request);
      +			if(roles.isAdministrator()) return true;
      +			CourseGroupManager cgm = course.getCourseEnvironment().getCourseGroupManager();
      +			UserRequest ureq = getUserRequest(request);
      +			Identity identity = ureq.getIdentity();
      +			return cgm.isIdentityCourseAdministrator(identity) || cgm.hasRight(identity, CourseRights.RIGHT_GROUPMANAGEMENT);
      +		} catch (Exception e) {
      +			return false;
      +		}
      +	}
      +
       	public static boolean isAuthorGrpManager(ICourse course, HttpServletRequest request) {
       		try {
       			Roles roles = getRoles(request);
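Review bot: The `catch (Exception e)` in `isOwnerGrpManager` turns every failure into `false`, which fails closed as an authorization check should, but it also hides real errors (a null `course`, a missing user request, a failure inside the group manager) behind what looks like an ordinary denial. Log the exception before returning, for example `log.warn("isOwnerGrpManager check failed", e);` if the class has a logger (none is visible in this hunk), and add an explicit `if(course == null) return false;` rather than relying on a caught NullPointerException. The method also has no Javadoc; it should say that access is granted per course to administrators, to identities accepted by `isIdentityCourseAdministrator`, and to holders of `CourseRights.RIGHT_GROUPMANAGEMENT`, and that any error denies access. The unbraced `if(roles.isAdministrator()) return true;` would read more safely with braces.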
      

      BTW: The function isAuthorGrpManager() is not used, and it would not be correct in this context, because an author would then get the right to create groups in any course.


          Attachments

            Activity

              People

              Assignee:
              srosse Stéphane Rossé
              Reporter:
              stephan Stephan Clemenz
              Tester:
              Mandy Menzel

                Dates

                Created:
                Updated:
                Resolved: